In the field of network security, computerized tools are often used to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. A network intrusion detection system (NIDS) is an example of a computerized network security tool (implemented as a networked device or as a software application) that monitors a network or systems to detect malicious activity or policy violations. A network intrusion prevention system (NIPS) is another example of a computerized network security tool (likewise implemented as a networked device or as a software application) that aims to prevent such malicious activity or policy violations. These computerized network security tools are collectively referred to herein as network security systems.
Snort is an open source network security system that can, in different modes, read and display network packets on Internet Protocol (IP) networks (sniffing); log network packets (packet logging); and monitor and analyze network traffic (intrusion detection). Snort is known to those skilled in the network security art and thus is not further described herein for the sake of brevity.
In a network security system, log data is a massive unstructured data source that contains a great deal of security information. However, log data is difficult to consume for the purpose of threat detection, even for network security analysts, because of its massive volume, the terse nature of security and application logging, and the difficulty humans have in recognizing security issues in the logs and correlating them with intrusion detection system (IDS) event data. Consequently, there is room for innovation and improvement.
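To make the correlation problem concrete, the following added example (not part of the patent text or of Snort itself) parses Snort "alert_fast"-style event lines and syslog-like application log lines, then pairs each IDS alert with the application events from the same peer IP inside a time window. All log lines, rule SIDs, hosts and IP addresses are constructed sample data; the year is assumed because fast alerts carry none.

```python
# Added example (not from the patent text): correlate Snort alert_fast-style
# event lines with application log lines by peer IP inside a time window.
# All lines below are constructed samples; SIDs, IPs and hosts are placeholders.
import re
from datetime import datetime, timedelta

# Snort fast alert: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sp -> dst:dp"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)
# Constructed syslog-like app line: "<iso-ts> <host> <app>: ... client=<ip>"
APP_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+):\s+(?P<msg>.*client=(?P<client>[\d.]+).*)$")
YEAR = 2024  # alert_fast timestamps carry no year; assumed for the sample

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def parse_app(line):
    m = APP_RE.match(line)
    return None if not m else {"ts": datetime.fromisoformat(m["ts"]), "app": m["app"], "client": m["client"], "msg": m["msg"]}

def correlate(alert_lines, app_lines, window=timedelta(seconds=60)):
    """Pair each IDS alert with app events whose client IP equals the alert's
    source IP and whose timestamp lies within +/- window of the alert."""
    alerts = [a for a in map(parse_alert, alert_lines) if a]
    events = [e for e in map(parse_app, app_lines) if e]
    return [(a, [e for e in events if e["client"] == a["src"] and abs(e["ts"] - a["ts"]) <= window])
            for a in alerts]

SNORT_ALERTS = [  # constructed, local-rule SID range
    "03/05-10:15:30.123456  [**] [1:1000001:1] LOCAL web scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.0.0.5:80",
    "03/05-10:40:02.000001  [**] [1:1000002:1] LOCAL ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:40001 -> 10.0.0.6:22",
]
APP_LOGS = [  # constructed
    "2024-03-05T10:15:32 web01 nginx: GET /wp-login.php 404 client=203.0.113.7",
    "2024-03-05T10:15:45 web01 nginx: GET /.env 403 client=203.0.113.7",
    "2024-03-05T11:30:00 web01 nginx: GET /index.html 200 client=203.0.113.7",
    "2024-03-05T10:39:50 bastion sshd: Failed password for root client=198.51.100.9",
]

if __name__ == "__main__":
    for alert, hits in correlate(SNORT_ALERTS, APP_LOGS):
        print(alert["sid"], alert["msg"], "->", len(hits), "related application events")
```

The third nginx line is dropped because it falls outside the 60-second window, which is the kind of time-bounded join an analyst otherwise has to do by hand.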